IBM DataPower Operations Dashboard v1.0.21.x

Internal Firewall

DPOD appliances use an embedded host-based firewall (Linux iptables). All inbound and outbound communication is blocked, except for the connections the DPOD product requires.

The communication rules are detailed in the Firewall Requirements topic.

The system administrator may choose to allow additional communication. The DPOD appliance includes a shell script for altering the firewall rules.

Display current firewall rules

Use the following built-in command to display DPOD's default firewall state:

iptables -L

The output is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:60000:60009
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:60020:60029
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5550
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldap
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ldaps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:msft-gc
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:msft-gc-ssl

It is recommended to alter these rules using the DPOD firewall update tool in order to limit access to allowed IPs only (e.g. replace the rule that allows every IP to connect to DPOD on TCP port 60000 (syslog) with one that allows only the specific monitored device IP address or monitored device subnet).
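As an added example (not part of DPOD or its firewall update tool), the following Python audit parses iptables -L output in the format shown above and reports INPUT rules that still accept a device-facing port range from any source. The sample output is constructed from the default rule set above with one rule already narrowed to a subnet; treating 60020:60029 as device-facing, like the syslog range 60000:60009, is an assumption.

```python
"""Audit `iptables -L` output for DPOD INPUT rules open to any source."""
import re

# Port ranges that should accept only monitored device IPs/subnets.
# 60000:60009 (syslog) is from the topic above; 60020:60029 is assumed.
DEVICE_ONLY_PORTS = {"60000:60009", "60020:60029"}

# Constructed sample, based on the default rule set shown in this topic,
# with the 60020:60029 rule already narrowed to a monitored device subnet.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:60000:60009
ACCEPT     tcp  --  10.1.2.0/24          anywhere            tcp dpts:60020:60029
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5550
"""

# target prot opt source destination [extra match text]
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")
PORT_RE = re.compile(r"\bdpts?:(\S+)")


def parse_rules(text):
    """Return one dict per rule line, tagged with the chain it belongs to."""
    chain, rules = None, []
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]          # e.g. "Chain INPUT (policy ACCEPT)"
            continue
        if not line.strip() or line.startswith("target ") or chain is None:
            continue                         # blank line or column header
        m = RULE_RE.match(line)
        ports = PORT_RE.search(m.group("rest"))
        rules.append({"chain": chain, "target": m.group("target"),
                      "prot": m.group("prot"), "src": m.group("src"),
                      "ports": ports.group(1) if ports else None})
    return rules


def open_device_ports(text, chain="INPUT"):
    """Port ranges in `chain` accepted from 'anywhere' that should be device-only."""
    return [r["ports"] for r in parse_rules(text)
            if r["chain"] == chain and r["target"] == "ACCEPT"
            and r["src"] == "anywhere" and r["ports"] in DEVICE_ONLY_PORTS]


if __name__ == "__main__":
    for ports in open_device_ports(SAMPLE_IPTABLES_L):
        print(f"INPUT accepts tcp {ports} from any source; narrow to device IPs")
```

On a live appliance, feed it the real output (e.g. iptables -L captured to a file) instead of the constructed sample.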

Copyright © 2015 MonTier Software (2015) Ltd.